Unexpected behavior in permissive mode

Joseph L. Casale jcasale at activenetwerx.com
Thu Apr 9 00:55:20 UTC 2015 

> What does if you switch the SELinux mode (which resets AVC cache)
>
> # setenforce 1; setenforce 0
>
> and then re-test it?
>
> Could you also post full raw AVC?

Hi Miroslav,
Thanks for the pointer about resetting the cache, that helped.

After running the backup in permissive mode, I get the following:

type=AVC msg=audit(1428538766.224:2373): avc:  denied  { execute } for  pid=32056 comm="bacula-fd" name="su" dev="dm-0" ino=18110620 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1428538766.224:2373): avc:  denied  { execute_no_trans } for  pid=32056 comm="bacula-fd" path="/usr/bin/su" dev="dm-0" ino=18110620 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:su_exec_t:s0 tclass=file
type=AVC msg=audit(1428538766.343:2374): avc:  denied  { create } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1428538766.343:2375): avc:  denied  { bind } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_selinux_socket
type=AVC msg=audit(1428538766.343:2376): avc:  denied  { compute_av } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1428538766.344:2377): avc:  denied  { create } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1428538766.344:2378): avc:  denied  { nlmsg_relay } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1428538766.344:2378): avc:  denied  { audit_write } for  pid=32056 comm="su" capability=29  scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=capability
type=USER_AVC msg=audit(1428538766.344:2379): pid=32056 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:bacula_t:s0 msg='avc:  denied  { passwd } for  scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=passwd  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428538766.345:2383): avc:  denied  { setsched } for  pid=32056 comm="su" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=process
type=AVC msg=audit(1428538766.345:2384): avc:  denied  { write } for  pid=32056 comm="su" name="system_bus_socket" dev="tmpfs" ino=14052 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1428538766.345:2384): avc:  denied  { connectto } for  pid=32056 comm="su" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1428538766.370:2385): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=32056 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1428538766.374:2386): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=32056 tpid=693 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1428538766.393:2391): pid=694 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1688 spid=693 tpid=32056 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:bacula_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1428538766.393:2392): avc:  denied  { write } for  pid=32056 comm="su" name="lastlog" dev="dm-0" ino=8572341 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file
type=AVC msg=audit(1428538766.424:2394): avc:  denied  { execute } for  pid=32063 comm="bash" name="hostname" dev="dm-0" ino=16887470 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1428538766.424:2394): avc:  denied  { execute_no_trans } for  pid=32063 comm="bash" path="/usr/bin/hostname" dev="dm-0" ino=16887470 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
type=AVC msg=audit(1428538773.500:2395): avc:  denied  { write } for  pid=32056 comm="su" name="system_bus_socket" dev="tmpfs" ino=14052 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file

which generates the following policy:

require {
        type su_exec_t;
        type system_dbusd_var_run_t;
        type security_t;
        type system_dbusd_t;
        type systemd_logind_t;
        type lastlog_t;
        type hostname_exec_t;
        type bacula_t;
        class process setsched;
        class unix_stream_socket connectto;
        class dbus send_msg;
        class capability audit_write;
        class passwd passwd;
        class netlink_selinux_socket { bind create };
        class file { write execute execute_no_trans };
        class netlink_audit_socket { nlmsg_relay create };
        class sock_file write;
        class security compute_av;
}

#============= bacula_t ==============
allow bacula_t hostname_exec_t:file { execute execute_no_trans };
allow bacula_t lastlog_t:file write;
allow bacula_t security_t:security compute_av;
allow bacula_t self:capability audit_write;
allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
allow bacula_t self:netlink_selinux_socket { bind create };
allow bacula_t self:passwd passwd;
allow bacula_t self:process setsched;
allow bacula_t su_exec_t:file { execute execute_no_trans };
allow bacula_t system_dbusd_t:dbus send_msg;
allow bacula_t system_dbusd_t:unix_stream_socket connectto;
allow bacula_t system_dbusd_var_run_t:sock_file write;
allow bacula_t systemd_logind_t:dbus send_msg;

#============= systemd_logind_t ==============
allow systemd_logind_t bacula_t:dbus send_msg;

And after loading this I get the following which was not present initially:

type=AVC msg=audit(1428539366.385:377): avc:  denied  { execute } for  pid=2809 comm="su" name="unix_chkpwd" dev="dm-0" ino=25441120 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1428539366.386:378): avc:  denied  { write } for  pid=2808 comm="su" name="btmp" dev="dm-0" ino=9085718 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file

So rebuilding from the new output yields:

require {
        type system_dbusd_var_run_t;
        type security_t;
        type faillog_t;
        type chkpwd_exec_t;
        type systemd_logind_t;
        type hostname_exec_t;
        type bacula_t;
        type su_exec_t;
        type lastlog_t;
        type system_dbusd_t;
        class process setsched;
        class unix_stream_socket connectto;
        class dbus send_msg;
        class capability audit_write;
        class passwd passwd;
        class netlink_selinux_socket { bind create };
        class file { write execute execute_no_trans };
        class netlink_audit_socket { nlmsg_relay create };
        class sock_file write;
        class security compute_av;
}

#============= bacula_t ==============
allow bacula_t chkpwd_exec_t:file execute;
allow bacula_t faillog_t:file write;
allow bacula_t hostname_exec_t:file { execute execute_no_trans };
allow bacula_t lastlog_t:file write;
allow bacula_t security_t:security compute_av;
allow bacula_t self:capability audit_write;
allow bacula_t self:netlink_audit_socket { nlmsg_relay create };
allow bacula_t self:netlink_selinux_socket { bind create };
allow bacula_t self:passwd passwd;
allow bacula_t self:process setsched;
allow bacula_t su_exec_t:file { execute execute_no_trans };
allow bacula_t system_dbusd_t:dbus send_msg;
allow bacula_t system_dbusd_t:unix_stream_socket connectto;
allow bacula_t system_dbusd_var_run_t:sock_file write;
allow bacula_t systemd_logind_t:dbus send_msg;

#============= systemd_logind_t ==============
allow systemd_logind_t bacula_t:dbus send_msg;


Which adds:
allow bacula_t chkpwd_exec_t:file execute;
allow bacula_t faillog_t:file write;

However, after removing the old and loading this new policy I get another denial:

type=AVC msg=audit(1428540219.458:501): avc:  denied  { execute_no_trans } for  pid=4309 comm="su" path="/usr/sbin/unix_chkpwd" dev="dm-0" ino=25441120 scontext=system_u:system_r:bacula_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file

Rerunning the backup yields this same avc, and audit2allow would suggest its permitted.

Thanks so much for assistance.
jlc

More information about the selinux mailing list